One really must appreciate the job of corporate IT security. In a world where enterprise technology advances what is possible at a brutal pace, it's the security professional's job to purposely stand in the way of bad ideas.
At the same time, though, that's a lot of power to put into one group. Too often, an overburdened security team simply can't keep up with the evolving IT landscape. Cloud computing and its risks, in particular, is one area that gives constant worry to security administrators.
At the end of the day, your service provider losing data is no different than your own IT losing that same data.
Data ownership represents their biggest fear. When data leaves the confines of your protected network, who actually owns it? Who has access to it? How is it combined with the data of others? What controls are in place? Some cloud services can't answer these questions with the clarity required to pass specific audits.
Provability represents the secondary concern, as the admin has to ask some important questions: "How can my cloud provider prove it's actually doing what it says? And if a cloud provider asserts that it meets the criteria for PCI DSS or HIPAA, what controls are in place to prove that assertion?"
Convincing IT security that cloud computing is a good idea requires a two-pronged approach. The first phase requires you to remove that traditional "no" response to the idea of cloud. Only by first reducing the visceral reaction to cloud computing's mere mention can one move on to the implementation-oriented second phase.
Cloud computing and credit cards?
Most of us carry around a wallet, yes? And inside that wallet are a series of items, maybe a few dollars or some credit cards. In our society, money represents a universally-established currency that contains a unit of value. If I possess a dollar, then I also possess one unit of that currency. I can also prove I own it, because I hold it in my hand.
The standard dollar is a visible metaphor for how data is managed in today's IT. I can see that data in my data center, therefore it’s mine. But things begin to get more complicated when I pull out my credit card. When you pass that card over to purchase something, where exactly, physically, geographically, is the money stored that's associated with the card?
Unless you work for a credit card company, you probably don't know. You also don't own any of the data associated with that credit card, nor do you have direct provability that Visa and MasterCard are in fact following all appropriate security practices. What you do have is trust.
Not long ago, no one would believe that a piece of plastic containing a series of numbers could represent tens of thousands of dollars. What's different today is a societal evolution toward data security not as an element of possession or ownership but more as an element of trust and risk/harm reduction. In the credit card world, risk and harm reduction are manifested via member protection policies. In the data center and cloud computing world, the exact same policies can hold true.
The principals of trust surrounding cloud computing today follow the classic business school definition of going concern. Providers want to sell you services out of profit motive. Assuming you've done your due diligence in terms of vetting those providers, their going concern must become a primary source of trust, just like what you have with your credit card.
Service providers are run by humans, which means mistakes will eventually be made. But just like with the credit card providers, these mistakes can be compensated through risk/harm reduction measures. At the end of the day, your service provider losing a piece of data is in reality no different than your own IT screwing up and losing that same piece of data. Even better, you have some recourse with a provider, while with your internal IT you have none.
The second phase of cloud convincing
This metaphor has turned roomfuls of IT security professionals on to the idea of cloud computing. It's only the start, though. I mentioned earlier that this process involves two phases, and the second is much easier than the first. It requires deconstructing the nebulous and, honestly, scary notion of cloud computing (stated with an appropriately booming voice) into the actual implementation.
Focus your security team's attentions toward a small subset of cloud computing options that make fiscal, operational and strategic sense for your business. These can be activities that your organization doesn't perform well or you can't do affordably because of economies of scale. Maybe this is hosted email or file storage in the cloud, maybe it's something as unobtrusive as backups or application services in the cloud. Perhaps even DMZ services in the cloud, such as the hosting of externally-facing Web and application servers, would do. Start small; nurture trust.
In a way, our industry has done itself a disservice by referring to this productization of IT services as "cloud computing." Had we just called it what it really is -- IT services managed by someone else -- we might never have introduced such irrational fear in the first place. In a way, our job is now damage control.
ABOUT THE AUTHOR
Greg Shields, Microsoft MVP, is a partner at Concentrated Technology. Get more of Greg's Jack-of-all-trades tips and tricks at www.ConcentratedTech.com.